- Bug
- Resolution: Unresolved
- Major
- 4.22.0
Description of problem:
The Windows Machine Config Operator fails to establish SSH connections to Windows machines when running in FIPS 140-only mode. The operator attempts to use ED25519 SSH keys, which rely on Curve25519/X25519 cryptography that is not FIPS 140-2 compliant. This prevents the operator from configuring Windows nodes in FIPS-enabled OpenShift clusters.

This bug affects only Windows instances created by MachineSets, because the configuration of the OpenSSH server takes place in `windows-user-data` and does not take into account the FIPS-supported handshake algorithms. The crypto policies of the OpenSSH server running on the Windows instance must follow the same configuration as the Linux control plane, present in /etc/crypto-policies/back-ends/openssh.config. Sample content:

    Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
    MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
    GSSAPIKeyExchange no
    KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
    PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
    CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512
    RequiredRSASize 2048
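Added example, not code from the bug report or from WMCO itself: a small Python helper that parses the openssh.config sample above, renders the equivalent sshd_config directives for the Windows host, and replays SSH key-exchange negotiation (RFC 4253 section 7.1) to show that a client listing Curve25519 first lands on X25519 against a permissive server but on ecdh-sha2-nistp256 against a server restricted to the control-plane policy. The client and permissive-server preference lists are constructed assumptions, not the operator's or Windows' real defaults.

```python
# Added example (not from the bug report or the operator's code): parse the
# crypto-policies openssh.config sample from the description, render sshd_config
# directives for the Windows host, and simulate RFC 4253 7.1 KEX negotiation.

# Verbatim from the description (/etc/crypto-policies/back-ends/openssh.config).
POLICY = """\
Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
GSSAPIKeyExchange no
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
RequiredRSASize 2048
"""
LIST_KEYWORDS = {"Ciphers", "MACs", "KexAlgorithms", "PubkeyAcceptedAlgorithms", "CASignatureAlgorithms"}
# KEX methods a FIPS 140-only Go client refuses to run (the error seen in the log).
NON_FIPS_KEX = {"curve25519-sha256", "curve25519-sha256@libssh.org"}

def parse_policy(text):
    """Map each keyword to its value; list-valued keywords become Python lists."""
    policy = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        policy[keyword] = value.split(",") if keyword in LIST_KEYWORDS else value
    return policy

def sshd_directives(policy):
    """sshd_config lines for the Windows instance. GSSAPIKeyExchange is a
    downstream (Red Hat patch) keyword, not upstream OpenSSH, so it is dropped."""
    return [f"{k} {','.join(v) if isinstance(v, list) else v}"
            for k, v in policy.items() if k != "GSSAPIKeyExchange"]

def negotiate(client_prefs, server_prefs):
    """RFC 4253 7.1: first client-preferred algorithm the server also supports."""
    supported = set(server_prefs)
    return next((alg for alg in client_prefs if alg in supported), None)

def fips_check(client_kex, server_kex):
    """Return (chosen, ok); ok is False when negotiation lands on an X25519 method."""
    chosen = negotiate(client_kex, server_kex)
    return chosen, chosen is not None and chosen not in NON_FIPS_KEX

# Constructed preference lists (assumptions, not the operator's or Windows' real
# defaults): a client that lists Curve25519 first, a server left permissive.
CLIENT_KEX = ["curve25519-sha256", "curve25519-sha256@libssh.org",
              "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "diffie-hellman-group14-sha256"]
PERMISSIVE_SERVER_KEX = ["curve25519-sha256", "curve25519-sha256@libssh.org",
                         "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"]
```

Feeding `parse_policy(POLICY)["KexAlgorithms"]` as the server list makes `fips_check` pick ecdh-sha2-nistp256, while the permissive list reproduces the curve25519 selection behind the logged handshake failure.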
Version-Release number of selected component (if applicable):
WMCO 10.20.1
Go Version: go1.24.4 (Red Hat 1.24.4-2.el9) X:strictfipsruntime linux/amd64
Platform: AWS
How reproducible:
Always reproducible in FIPS-enabled clusters
Steps to Reproduce:
1. Spin up an OCP 4.20 cluster with FIPS enabled
2. Create and deploy a FIPS-compliant private key, e.g. RSA 4096
3. Install a Windows MachineSet
4. Follow the operator logs for the error:
"error": "ssh: handshake failed: curve25519: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode"}
Actual results:
SSH connection fails with: curve25519: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
Windows node configuration never completes.
Expected results:
SSH connection should succeed with FIPS-compliant keys (RSA ≥ 2048 or ECDSA NIST P-curves).
Windows node should be successfully configured.
Additional info:
    # RSA 4096 (FIPS-compliant)
    ssh-keygen -t rsa -b 4096 -f id_rsa_fips -N ""

Considerations:
- Enhance error messages to guide users toward FIPS-compliant alternatives
- Update WMCO documentation to specify FIPS key requirements
WMCO Log
3Z INFO Starting EventSource {"controller": "configmap", "controllerGroup": "", "controllerKind": "ConfigMap", "source": "kind source: *v1.MachineConfig"}
2026-01-23T20:45:33Z INFO Starting EventSource {"controller": "imagedigestmirrorset", "controllerGroup": "config.openshift.io", "controllerKind": "ImageDigestMirrorSet", "source": "kind source: *v1.ImageDigestMirrorSet"}
2026-01-23T20:45:33Z INFO Starting EventSource {"controller": "imagedigestmirrorset", "controllerGroup": "config.openshift.io", "controllerKind": "ImageDigestMirrorSet", "source": "kind source: *v1.ImageTagMirrorSet"}
2026-01-23T20:45:33Z INFO Starting EventSource {"controller": "secret", "controllerGroup": "", "controllerKind": "Secret", "source": "kind source: *v1.Secret"}
2026-01-23T20:45:33Z INFO Starting EventSource {"controller": "controllerconfig", "controllerGroup": "machineconfiguration.openshift.io", "controllerKind": "ControllerConfig", "source": "kind source: *v1.ControllerConfig"}
2026-01-23T20:45:33Z INFO Starting EventSource {"controller": "configmap", "controllerGroup": "", "controllerKind": "ConfigMap", "source": "kind source: *v1.ConfigMap"}
2026-01-23T20:45:33Z INFO Starting EventSource {"controller": "configmap", "controllerGroup": "", "controllerKind": "ConfigMap", "source": "kind source: *v1.Node"}
2026-01-23T20:45:33Z INFO Starting EventSource {"controller": "configmap", "controllerGroup": "", "controllerKind": "ConfigMap", "source": "kind source: *v1.Node"}
2026-01-23T20:45:33Z INFO Starting EventSource {"controller": "certificatesigningrequest", "controllerGroup": "certificates.k8s.io", "controllerKind": "CertificateSigningRequest", "source": "kind source: *v1.CertificateSigningRequest"}
2026-01-23T20:45:33Z INFO Starting EventSource {"controller": "secret", "controllerGroup": "", "controllerKind": "Secret", "source": "kind source: *v1.Secret"}
2026-01-23T20:45:33Z INFO Starting EventSource {"controller": "namespace", "controllerGroup": "", "controllerKind": "Namespace", "source": "kind source: *v1.ServiceMonitor"}
2026-01-23T20:45:33Z INFO Starting EventSource {"controller": "namespace", "controllerGroup": "", "controllerKind": "Namespace", "source": "kind source: *v1.Namespace"}
2026-01-23T20:45:35Z INFO Starting Controller {"controller": "controllerconfig", "controllerGroup": "machineconfiguration.openshift.io", "controllerKind": "ControllerConfig"}
2026-01-23T20:45:35Z INFO Starting workers {"controller": "controllerconfig", "controllerGroup": "machineconfiguration.openshift.io", "controllerKind": "ControllerConfig", "worker count": 1}
2026-01-23T20:45:35Z INFO Starting Controller {"controller": "secret", "controllerGroup": "", "controllerKind": "Secret"}
2026-01-23T20:45:35Z INFO Starting workers {"controller": "secret", "controllerGroup": "", "controllerKind": "Secret", "worker count": 1}
2026-01-23T20:45:35Z INFO Starting Controller {"controller": "node", "controllerGroup": "", "controllerKind": "Node"}
2026-01-23T20:45:35Z INFO Starting workers {"controller": "node", "controllerGroup": "", "controllerKind": "Node", "worker count": 1}
2026-01-23T20:45:35Z INFO Starting Controller {"controller": "imagedigestmirrorset", "controllerGroup": "config.openshift.io", "controllerKind": "ImageDigestMirrorSet"}
2026-01-23T20:45:35Z INFO Starting workers {"controller": "imagedigestmirrorset", "controllerGroup": "config.openshift.io", "controllerKind": "ImageDigestMirrorSet", "worker count": 1}
2026-01-23T20:45:35Z INFO Starting Controller {"controller": "certificatesigningrequest", "controllerGroup": "certificates.k8s.io", "controllerKind": "CertificateSigningRequest"}
2026-01-23T20:45:35Z INFO Starting workers {"controller": "certificatesigningrequest", "controllerGroup": "certificates.k8s.io", "controllerKind": "CertificateSigningRequest", "worker count": 1}
2026-01-23T20:45:35Z DEBUG controllers.registry reconciling {"name": "/"}
2026-01-23T20:45:35Z INFO Starting Controller {"controller": "namespace", "controllerGroup": "", "controllerKind": "Namespace"}
2026-01-23T20:45:35Z INFO Starting workers {"controller": "namespace", "controllerGroup": "", "controllerKind": "Namespace", "worker count": 1}
2026-01-23T20:45:35Z DEBUG controllers.metrics reconciling {"name": "/openshift-windows-machine-config-operator"}
2026-01-23T20:45:35Z INFO Starting Controller {"controller": "machine", "controllerGroup": "machine.openshift.io", "controllerKind": "Machine"}
2026-01-23T20:45:35Z INFO Starting workers {"controller": "machine", "controllerGroup": "machine.openshift.io", "controllerKind": "Machine", "worker count": 1}
2026-01-23T20:45:35Z DEBUG controller.windowsmachine reconciling {"windowsmachine": {"name":"jvaldes-clus-20260123-nlddp-winworker-us-east-1d-cw7n7","namespace":"openshift-machine-api"}}
2026-01-23T20:45:35Z DEBUG events Cluster monitoring openshift.io/cluster-monitoring label is enabled in openshift-windows-machine-config-operator namespace {"type": "Normal", "object": {"kind":"Namespace","name":"openshift-windows-machine-config-operator","uid":"b73dfe1c-c38c-43cd-97df-8b46efc93e6f","apiVersion":"v1","resourceVersion":"45637"}, "reason": "monitoringEnabled"}
2026-01-23T20:45:35Z DEBUG controllers.metrics reconciling {"name": "openshift-windows-machine-config-operator/windows-exporter"}
2026-01-23T20:45:35Z INFO Starting Controller {"controller": "configmap", "controllerGroup": "", "controllerKind": "ConfigMap"}
2026-01-23T20:45:35Z INFO Starting workers {"controller": "configmap", "controllerGroup": "", "controllerKind": "ConfigMap", "worker count": 1}
2026-01-23T20:45:36Z INFO controller-runtime.metrics Serving metrics server {"bindAddress": "0.0.0.0:9182", "secure": true}
2026-01-23T20:45:50Z DEBUG controllers.secret reconciling {"secret": "openshift-windows-machine-config-operator/cloud-private-key"}
2026-01-23T20:45:50Z DEBUG controllers.secret reconciling {"secret": "openshift-windows-machine-config-operator/windows-machine-config-operator-tls"}
2026-01-23T20:45:50Z INFO controller.windowsmachine processing {"windowsmachine": {"name":"jvaldes-clus-20260123-nlddp-winworker-us-east-1d-cw7n7","namespace":"openshift-machine-api"}, "address": "10.0.105.221"}
2026-01-23T20:45:50Z DEBUG wc 10.0.105.221 initializing SSH connection
2026-01-23T20:45:50Z DEBUG wc 10.0.105.221 SSH dial {"IP Address": "10.0.105.221", "error": "ssh: handshake failed: curve25519: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode"}
2026-01-23T20:45:50Z DEBUG ignition parsed {"machineconfig": "rendered-worker-09eef1c1a8ca02c94c49106be05d1679", "using ignition version": "3.5.0"}
2026-01-23T20:45:50Z DEBUG ignition processing kubelet-ca {"ControllerConfig": "machine-config-controller"}
2026-01-23T20:45:50Z DEBUG controllers.configmap Reconciling {"ConfigMap": {"name":"windows-services-10.20.1-06b7a45","namespace":"openshift-windows-machine-config-operator"}}
2026-01-23T20:46:50Z DEBUG wc 10.0.105.221 SSH dial {"IP Address": "10.0.105.221", "error": "ssh: handshake failed: curve25519: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode"}
2026-01-23T20:47:06Z DEBUG controllers.metrics reconciling {"name": "/openshift-windows-machine-config-operator"}
2026-01-23T20:47:50Z DEBUG wc 10.0.105.221 SSH dial {"IP Address": "10.0.105.221", "error": "ssh: handshake failed: curve25519: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode"}
Blocks: WINC-1586 Add periodic CI job that runs Windows E2E tests on FIPS-enabled clusters (To Do)